Critical Palo Alto Networks Firewall Flaw Under Active Exploitation: Root RCE Awaits Patches
Palo Alto Networks confirms limited exploitation of CVE-2026-0300, a critical buffer overflow in PAN-OS User-ID Authentication Portal enabling unauthenticated remote code execution. Patches arriving May 13, 2026—organizations must act immediately.

Critical Palo Alto Networks Vulnerability Under Active Exploitation
Palo Alto Networks has disclosed that threat actors may have made unsuccessful attempts to exploit a recently disclosed critical security flaw as early as April 9, 2026. The threat landscape has shifted sharply for organizations relying on Palo Alto Networks firewalls, and time is running out before patches arrive.
Vulnerability Details: CVE-2026-0300
The vulnerability in question is CVE-2026-0300 (CVSS score: 9.3/8.7), a buffer overflow vulnerability in the User-ID Authentication Portal service of Palo Alto Networks PAN-OS software that could allow an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted packets.
A buffer overflow vulnerability in the User-ID Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.
Attack Vector and Risk Assessment
The severity rating depends on network configuration. It carries a CVSS score of 9.3 if the User-ID Authentication Portal is configured to enable access from the internet or any untrusted network. The severity comes down to 8.7 if access to the portal is restricted to only trusted internal IP addresses.
This distinction matters critically: organizations following security best practices with restricted portal access face lower immediate risk, but those exposing the User-ID Authentication Portal to untrusted networks are in the crosshairs of active exploitation campaigns.
Active Exploitation Confirmed
According to Palo Alto Networks, the vulnerability has come under "limited exploitation," specifically targeting instances where the User-ID Authentication Portal is publicly accessible. That exploitation attempts began as early as April 9, before public disclosure, indicates threat actors were working the vulnerability in the wild before Palo Alto Networks formally announced it.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), on May 6, 2026, added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes or mitigations by May 9, 2026. The rapid addition to CISA's KEV catalog underscores the severity and active exploitation status.
Patch Timeline and Interim Mitigations
While fixes are expected to be released starting May 13, 2026, organizations cannot afford to wait passively. Until a patch is available, Palo Alto Networks advises customers to secure access to the PAN-OS User-ID Authentication Portal by restricting it to trusted zones only, or to disable the portal entirely if it is not used. As an additional mitigation, the company recommends disabling Response Pages in the Interface Management Profile for any L3 interface where untrusted or internet traffic can ingress.
Scope of Impact
The company said the vulnerability is applicable only to PA-Series and VM-Series firewalls that are configured to use the User-ID Authentication Portal. Critically, this issue does not impact Cloud NGFW or Panorama appliances. However, given the widespread deployment of PA-Series and VM-Series firewalls in enterprise environments globally, the affected infrastructure base remains substantial.
What Organizations Must Do Now
The exploitation window is razor-thin. With patches arriving May 13 and threat actors already testing the vulnerability, the 72-hour window between now and patch availability is critical:
- Immediate Action: Audit your firewall configurations to identify whether User-ID Authentication Portal is exposed to untrusted networks. If yes, disable it or restrict access to known-good internal IP ranges immediately.
- Response Pages: Implement Palo Alto's recommended mitigation to disable Response Pages in Interface Management Profiles on all L3 interfaces where untrusted traffic can ingress.
- Patch Planning: Schedule firmware updates for May 13 or immediately after patches are validated internally. Do not delay.
- Log Review: Search firewall logs dating back to April 9 for suspicious traffic patterns targeting the User-ID Authentication Portal service, particularly unusual HTTP/HTTPS requests with malformed data.
- CISA Compliance: Federal agencies are already under mandatory mitigation deadlines. Private sector organizations should treat this with equal urgency.
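As an added example for the log-review step (this is not code from the article or from Palo Alto Networks), the Python script below triages constructed, simplified access-log lines: the column layout, the "auth-portal" service name, the request path, the trusted address ranges and the size threshold are all assumptions to adapt to your own log export. It keeps only User-ID Authentication Portal events dated on or after April 9, 2026 and flags requests from untrusted sources, unusually large requests, and server errors; any untrusted-source hit also tells you the portal is reachable from outside, the configuration the advisory scores at 9.3.

```python
import ipaddress
from datetime import date

# Assumed "trusted" internal ranges; replace with the ranges your portal should serve.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Earliest exploitation attempt date reported in the advisory coverage.
EARLIEST_KNOWN_ATTEMPT = date(2026, 4, 9)
# Assumed threshold for an "unusually large" portal request, in bytes.
SUSPICIOUS_BYTES = 4096

# Constructed sample log (not real PAN-OS output):
# date,source-ip,service,method,path,request-bytes,http-status
SAMPLE_LOG = """\
2026-04-08,203.0.113.7,auth-portal,GET,/portal/login,512,200
2026-04-10,203.0.113.7,auth-portal,POST,/portal/login,18240,500
2026-04-11,10.20.30.40,auth-portal,POST,/portal/login,640,302
2026-04-12,198.51.100.9,web-ui,GET,/,300,200
2026-04-15,198.51.100.22,auth-portal,POST,/portal/login,900,200
"""

def parse_line(line):
    """Split one constructed log line into typed fields."""
    day, src, svc, method, path, nbytes, status = line.split(",")
    return {"date": date.fromisoformat(day), "src": ipaddress.ip_address(src),
            "service": svc, "method": method, "path": path,
            "bytes": int(nbytes), "status": int(status)}

def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETS)

def triage(log_text):
    """Return (date, source, reasons) for portal events worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        # Only portal traffic from the first known attempt date onwards matters here.
        if ev["service"] != "auth-portal" or ev["date"] < EARLIEST_KNOWN_ATTEMPT:
            continue
        reasons = []
        if not is_trusted(ev["src"]):
            reasons.append("portal reached from untrusted source")
        if ev["bytes"] >= SUSPICIOUS_BYTES:
            reasons.append(f"oversized request ({ev['bytes']} bytes)")
        if ev["status"] >= 500:
            reasons.append("server error (portal process may have crashed)")
        if reasons:
            findings.append((str(ev["date"]), str(ev["src"]), "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(*f, sep=" | ")
```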
The Broader Context
This CVE represents a dangerous pattern emerging in 2026: Mandiant's M-Trends 2026 report found that time-to-exploit has effectively gone negative — exploits are now routinely arriving before patches, with 28.3% of CVEs exploited within 24 hours of disclosure. The Palo Alto Networks vulnerability exemplifies this threat acceleration, with exploitation attempts preceding public disclosure by weeks.
Firewall appliances occupy a critical position in network infrastructure, and compromise of a firewall grants threat actors unprecedented access to internal network segments, encrypted traffic inspection capabilities, and lateral movement opportunities. Root-level code execution on a PA-Series firewall is not a degradation of service—it's a complete infrastructure compromise.
Final Word
Customers following standard security best practices, such as restricting sensitive portals to trusted internal networks, are at greatly reduced risk. But those running exposed portals are in immediate danger. The next 48 hours determine whether this incident results in detection of exploit attempts or silent compromise of critical infrastructure. Act now.
